For enterprise security teams, a zero-day vulnerability being exploited in the wild means going into fire-fighting mode to find and fix vulnerable systems. New statistics suggest that having the most recent version of Windows can buy defenders extra time to deal with the issues.
In an analysis of zero-day exploitation attempts between 2015 and 2019, Matt Miller, a security engineer with the Microsoft Security Response Center, found that Windows zero-days generally don’t work against the latest version of the operating system. Only about 40 percent of attacks using Windows zero-day vulnerabilities in the latest version of Windows were successful, Miller said.
“This highlights that staying current with the latest version of Windows has remained a good defense for many of the zero day exploits observed in the wild that target Windows CVEs due in large part to the mitigations being added each release,” Miller said on Twitter.
The beginning of the research window coincides with the year Windows 10 was released. Windows 10 has several security mitigations that protect the operating system from abuse, including Control Flow Guard and Device Guard. Even in cases where the vulnerability was present in the latest version of Windows, two out of three attacks didn’t work because of security mitigations Microsoft had added to the operating system, Miller said.
Miller’s research, which will be presented at the upcoming Usenix WOOT 19 security conference (Trends and Challenges in the Vulnerability Mitigation Landscape), is interesting because it goes beyond operating systems. Windows 10 is considered the most secure Windows to date, so it makes sense that users on Windows 10 would be less vulnerable than those on Windows 7. Miller’s point is that even within Windows 10, Microsoft is refining the mitigations to make the operating system less vulnerable. When he is talking about the latest version, he is referring to the “latest major release of Windows at the time that the issue was patched.” Right now, that would mean Windows 10 1903.
Attackers tend to have more success with zero-day vulnerabilities if they look in older Windows versions, rather than in the most recent release. That includes end-of-life operating systems such as Windows XP, near-end-of-life versions such as Windows 7, as well as earlier releases of Windows 10, such as Windows 10 1809 and Windows 10 1803.
Earlier this year, Miller shared statistics at Microsoft’s BlueHat security conference in Israel showing that Windows vulnerabilities are most likely to be exploited as a zero day before patches are released, or months later when the attention has moved on but patching schedules lag behind.
Miller also shared that 70 percent of security vulnerabilities addressed by Microsoft in the past 12 years were memory management-related issues. Heap out-of-bounds read, type confusion, and uninitialized use issues have increased over the past few years. Use-after-free issues peaked between 2013 and 2015, and have been dropping since the use-after-free exploit mitigation MemGC was introduced in Microsoft Edge and Internet Explorer on Windows 10.
The reality of enterprise IT is that not everything gets updated the day, or even the week, the patch comes out. But if the security team maintains a regular schedule of testing and deploying Windows updates, they can rely on a certain level of protection from the mitigations Microsoft has built into the operating system.
Past research has shown that despite all the attention paid to zero-day vulnerabilities, the bulk of attacks typically involve vulnerabilities that were patched months, or even years, earlier. In an analysis of almost four million posts that appeared on dark web forums between May 2018 and May 2019, Recorded Future researchers found that many of the popular malware variants available for sale target vulnerabilities that are several years old. The attacks are effective and popular because there are enough systems that haven’t been patched yet. For criminals, getting working malware quickly is far more important than getting a sophisticated one.